Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support tls version #240

Merged
merged 3 commits into from Aug 12, 2019
Merged

Support tls version #240

merged 3 commits into from Aug 12, 2019

Conversation

drexler
Copy link
Contributor

@drexler drexler commented Jul 10, 2019
edited by captainsidd

Fixes #236

Description of Issue Fixed
This adds a new paramater securityPolicy which allows for setting the TLS version to be used by the created custom domain.

custom:
  customDomain:
    securityPolicy: tls_1_0 | tls_1_2

@vt-cwalker
Copy link

Thanks for implementing this @drexler . I was looking for something like this as well. However, would it be better to default to the more secure TLS1.2 instead of TLS1.0? I know AWS defaults to TLS1.0 for more backwards compatibility, but just wondering what others thought about this as well.

Also in the documentation addition, it seems you put in tls_1_2 but in the code you default to tls_1_0. So may seem to users reading docs that it may default to tls_1_2.

@drexler
Copy link
Contributor Author

drexler commented Jul 26, 2019

@rts-cwalker i intentionally kept the default in line with AWS defaults. I think going forward that will prevent surprises when users install it. Also, the documentation update i did does specify tls_1_0 as the default.

@vt-cwalker
Copy link

vt-cwalker commented Jul 29, 2019
edited

@rts-cwalker i intentionally kept the default in line with AWS defaults. I think going forward that will prevent surprises when users install it. Also, the documentation update i did does specify tls_1_0 as the default.

@drexler Actually, looks like AWS defaults to TLS1.2 for any new custom APIGW domains now. I just tried created a new one via AWS console and it defaults to TLS1.2 now. Maybe this allows us to default to 1.2 now in this plugin as well?

@drexler
Copy link
Contributor Author

drexler commented Jul 29, 2019

@drexler Actually, looks like AWS defaults to TLS1.2 for any new custom APIGW domains now. I just tried created a new one via AWS console and it defaults to TLS1.2 now. Maybe this allows us to default to 1.2 now in this plugin as well?

@rts-cwalker good catch 👍 . You're right and i've updated my PR to now default to TLS v1.2

@vt-cwalker
Copy link

@drexler Cool looks good. Except does this line need to be changed as well? https://github.com/amplify-education/serverless-domain-manager/pull/240/files#diff-938360079f2a94b0aa5704b05ac404f5R18

@drexler
Copy link
Contributor Author

drexler commented Aug 8, 2019

@rts-cwalker oops. I'll address that.

@captainsidd
Copy link
Contributor

captainsidd commented Aug 12, 2019
edited

Hey everyone - this looks good to me. Thanks again for taking the time to implement this feature. I'll go ahead and merge this PR.

@captainsidd captainsidd merged commit fcf6c6e into amplify-education:master Aug 12, 2019
@captainsidd captainsidd mentioned this pull request Aug 13, 2019
Closed
@uccmen
Copy link

uccmen commented Nov 21, 2019

Hey guys, sorry to bring this up here now but what if I already created the domain previously and would like to update my securityPolicy to use 1.2?
based on the source code, the tls version is only applied during creation.

@uccmen
Copy link

uccmen commented Nov 25, 2019

Please ignore my above comment, just read the Known Issues section on README.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@captainsidd captainsidd captainsidd approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add ability to pick between TLS1.0 and TLS1.2 for Custom Domains
4 participants
@drexler @vt-cwalker @captainsidd @uccmen